MAG Webserver Health Check using incorrect source IP causing the Web server to be displayed as DOWN
This document (7014116) is provided subject to the disclaimer at the end of this document.
NetIQ Access Manager 3.2 Support Pack 2 applied
Strong network-level security is enabled, allowing access to specific resources only from certain IP addresses
Despite this, the health check reported in iManager for this working AG shows that many of the Web servers are DOWN. Traces show that the heartbeat requests from the AG to the Web servers use the primary IP address as their source, and these requests are all being blocked at the firewall. There is no option to change the source IP address of the outgoing health check requests to a specific interface, as there is with the 'Make Outbound Connection Using' option above when users access the web server.
The following is an example of how to do this:
iptables -t nat -A POSTROUTING -d 10.10.10.10 -s 192.168.1.1 -j SNAT --to-source 192.168.1.9
This rewrites the source address so that the packets appear to come from 192.168.1.9 instead of 192.168.1.1, but only when the packets are destined for 10.10.10.10. The above example can be locked down further to specific interfaces (-o eth0) or specific TCP ports (-p tcp -m tcp --dport 80) if needed.
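The rule above with both restrictions applied, as an added example that is not part of the original document: the script validates its inputs, builds the narrowed rule, and only appends it when it is not already present. The function names and the DRY_RUN switch are hypothetical, the addresses, eth0 and port 80 are the sample values used above, and it assumes an iptables version that supports the -C (check) option.

```shell
#!/bin/sh
# Added example: build an idempotent, narrowly scoped SNAT rule for the
# health check traffic. All values are the document's sample values.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Usage: snat_rule_spec PRIMARY_IP NEW_SOURCE_IP WEB_SERVER_IP OUT_IFACE TCP_PORT
# Prints the rule specification, or fails without output on bad input.
snat_rule_spec() {
    primary=$1 new_src=$2 dest=$3 iface=$4 port=$5
    for ip in "$primary" "$new_src" "$dest"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "invalid port: $port" >&2; return 1; }
    echo "POSTROUTING -o $iface -s $primary -d $dest -p tcp -m tcp --dport $port -j SNAT --to-source $new_src"
}

# With DRY_RUN=1 (the default) the commands are printed, not executed.
apply_snat() {
    spec=$(snat_rule_spec "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -t nat -C $spec || iptables -t nat -A $spec"
    else
        # -C tests whether the rule exists, so reruns do not stack duplicates
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    fi
}

apply_snat 192.168.1.1 192.168.1.9 10.10.10.10 eth0 80
```

Run it as root with DRY_RUN=0 to apply the rule; the default only prints the commands for review.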
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7014116
- Creation Date: 14-NOV-13
- Modified Date: 14-NOV-13
- NetIQ Access Manager (NAM)